This tutorial shows you how to install an SSL certificate on SurgeMail, the Netwin mail server that handles SMTP, IMAP, POP3, and webmail in one daemon. You will paste the issued certificate and its intermediate chain into the SurgeMail web admin, restart the service, and verify that every secure port (submission, SMTPS, IMAPS, POP3S, and webmail HTTPS) presents the new certificate.
The steps below apply to current SurgeMail 8.x builds on Windows, Linux, and macOS. The web admin layout has been stable for many releases, so older 7.x installations follow the same flow.
Generate a CSR on SurgeMail
If you have already generated your CSR and received the SSL files from your Certificate Authority, skip part 1 and jump straight to the installation steps.
A CSR (Certificate Signing Request) is a block of encoded text that contains your contact details and the public key that pairs with the private key kept on the server. The Certificate Authority (CA) uses the CSR to verify your information before issuing the certificate. You have two options:
- Use our CSR Generator to create the CSR automatically. If you go this route, the private key is generated outside SurgeMail, so you will import the certificate together with the key when you install it.
- Generate the CSR inside SurgeMail itself by following our tutorial on how to generate a CSR on SurgeMail. The private key stays on the server, and the signed certificate slots in next to it.
When you place the SSL order, copy the entire CSR text including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, and paste it into the order form. Generating the CSR inside SurgeMail is the simpler path because the private key is already on the server, ready to be paired with the signed certificate the CA returns.
Install an SSL certificate on SurgeMail
After the CA validates your request and issues the certificate, you usually receive a ZIP archive by email. Extract it on your computer; you should have your primary (server) certificate and one or more intermediate (CA) certificates. SurgeMail expects them in PEM format, which is the default plain-text format most CAs supply (the file starts with —–BEGIN CERTIFICATE—–). If your files arrived as .crt, .cer, or .pem, open them in a plain-text editor (Notepad on Windows, or nano or vi on Linux and macOS) to confirm the PEM headers are present.
Step 1: Open the SSL Certificates page in the web admin
Sign in to the SurgeMail web admin in your browser. By default the secure admin interface is on port 7025 (for example https://mail.example.com:7025); the unencrypted admin port is 7026. Once you are in, open Globals > SSL Certificates Configure. This page lists every certificate SurgeMail knows about and is where you import a signed certificate, replace an existing one, or set a per-domain certificate.
Step 2: Paste the certificate and the intermediate chain
Open the entry for the domain whose CSR you generated, then locate the SSL Certificate(s) text field. Paste the issued certificate text first, with the intermediate certificate(s) directly below it, with no blank line between them. The combined block should look like this:
-----BEGIN CERTIFICATE-----
(Your primary / server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate)
-----END CERTIFICATE-----
Each BEGIN CERTIFICATE and END CERTIFICATE marker uses exactly five hyphens on each side, with no spaces. A mangled marker line (curly dashes, missing hyphens, or stray spaces) is the single most common reason a SurgeMail SSL import fails. If your CA supplied more than one intermediate, paste them in the order the CA documents, each block immediately under the previous one.
If the CSR was generated outside SurgeMail (for example with our CSR Generator), this same page also accepts the matching private key. Paste it into the private-key field on the form so SurgeMail can pair it with the certificate. If you generated the CSR inside SurgeMail, the private key is already on the server and you only need to paste the certificate chain.
Click Save at the bottom of the page. Behind the scenes, SurgeMail writes the certificate chain to ssl/surge_cert.pem and the private key to ssl/surge_priv.pem inside its install directory.
Step 3: Restart SurgeMail
SurgeMail loads the certificate at startup, so the new certificate is only served after a restart. Use whichever method matches your platform:
- Web admin: open Status > Restart Server (or use the equivalent Restart button on the dashboard).
- Windows: restart the SurgeMail service from services.msc.
- Linux: as root, run
tellmail shutdownand let the service supervisor start SurgeMail again, or use the init/systemd unit your installer registered (commonlysystemctl restart surgemail). - macOS: use the Stop and Start controls in the SurgeMail Manager, or restart the launchd job your installer registered.
A restart is also required after every renewal or re-issue, even when the domain has not changed.
Optional: harden SSL settings
While you are in the web admin, take the opportunity to apply a current security baseline. SurgeMail ships a one-line preset that enables modern cipher suites and switches off legacy protocol versions:
g_ssl_perfect "true"
On older installations you can also explicitly disable the deprecated SSL and early TLS versions:
g_ssl_disable "sslv2,sslv3,tlsv1,tlsv1_1"
These directives live with the other globals (set them via Globals > SSL in the web admin, or edit surgemail.ini directly). Save the changes and restart SurgeMail so they take effect on every TLS-enabled service.
Optional: automate renewals with Let’s Encrypt
If you would prefer not to manage paste-and-restart renewals by hand, SurgeMail has built-in Let’s Encrypt support from version 7.3j2 onward. Add the following to your globals, make sure port 80 is reachable directly by SurgeMail (not by Apache or IIS) so the HTTP-01 challenge can complete, then issue the update command:
g_ssl_per_domain "true"
g_ssl_auto "true"
g_webmail_port "80,7080"
tellmail ssl_update
This mode is best for green-field deployments. If you bought a commercial certificate (extended validation, multi-year coverage, or a wildcard), stay with the manual paste-in flow above.
Test your SSL installation
Once SurgeMail is back up, scan every service that should serve the certificate. Because SurgeMail handles multiple protocols from a single daemon, a single misconfigured port can break clients without affecting webmail (or the other way around). Test:
- Webmail HTTPS on port 7443 (or 443 if you fronted SurgeMail with a reverse proxy).
- SMTP submission on port 587 (STARTTLS) and SMTPS on port 465.
- IMAPS on port 993 and IMAP STARTTLS on port 143.
- POP3S on port 995 and POP3 STARTTLS on port 110.
Use our SSL Checker to verify the certificate and the full intermediate chain on the webmail port. For the mail-protocol ports, use a TLS-aware command-line tool from the server (for example openssl s_client -connect mail.example.com:993 for IMAPS, or openssl s_client -starttls smtp -connect mail.example.com:587 for SMTP submission). The certificate, the issuer chain, and the expiry date that come back should match the certificate you just installed.
If a client warns about the certificate after the install, the cause is almost always a missing intermediate. Re-check that the chain in the SSL Certificate(s) field includes the CA’s intermediate certificate, save again, and restart SurgeMail.
Frequently Asked Questions
In the SurgeMail web admin (default secure URL https://your-server:7025), open Globals > SSL Certificates Configure. That page is where you paste the certificate text the CA issued, add the intermediate chain, and save. After saving, restart SurgeMail so the new certificate is loaded by every service.
SurgeMail writes the certificate chain to ssl/surge_cert.pem and the private key to ssl/surge_priv.pem inside its install directory. The certificate file holds the primary certificate first, followed by the intermediate chain appended directly below it. You can also replace these two files on disk and restart SurgeMail; the result is identical to pasting the same content through the web admin.
Yes. SurgeMail loads its certificate when the service starts, so a save without a restart leaves clients on the old certificate. Restart from Status > Restart Server in the web admin, from services.msc on Windows, or with tellmail shutdown (and your supervisor’s restart command) on Linux. A restart is also required for every renewal and re-issue.
Test every TLS-enabled service: webmail HTTPS on 7443 (or 443 behind a proxy), SMTP submission on 587 and SMTPS on 465, IMAPS on 993 with STARTTLS on 143, and POP3S on 995 with STARTTLS on 110. The same certificate is served on all of them, so a difference between two ports usually means a stale process is still running and another restart is needed.
Yes. From version 7.3j2 onward, SurgeMail has built-in Let’s Encrypt (ACME) support. Set g_ssl_per_domain "true" and g_ssl_auto "true" in your globals, make sure port 80 is reachable by SurgeMail (not by another web server on the same host), then run tellmail ssl_update to provision and later renew the certificates. For commercial certificates or wildcards, install them manually through Globals > SSL Certificates Configure as covered above.
The most common cause is a missing intermediate certificate; the server certificate alone is not enough for clients to build the trust chain. Re-open SSL Certificates Configure, confirm the intermediate block sits directly below the primary certificate with no blank line, save, and restart SurgeMail. Also check that the client is connecting using the exact hostname listed in the certificate, since a mismatch between the connection address and the certificate’s common name or SAN triggers a warning even when the chain is valid.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


